<!-- Kamailio Pull Request Template -->
<!-- IMPORTANT: - for detailed contributing guidelines, read: https://github.com/kamailio/kamailio/blob/master/.github/CONTRIBUTING.md - pull requests must be done to master branch, unless they are backports of fixes from master branch to a stable branch - backports to stable branches must be done with 'git cherry-pick -x ...' - code is contributed under BSD for core and main components (tm, sl, auth, tls) - code is contributed GPLv2 or a compatible license for the other components - GPL code is contributed with OpenSSL licensing exception -->
#### Pre-Submission Checklist <!-- Go over all points below, and after creating the PR, tick all the checkboxes that apply --> <!-- All points should be verified, otherwise, read the CONTRIBUTING guidelines from above--> <!-- If you're unsure about any of these, don't hesitate to ask on sr-dev mailing list --> - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated)
#### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [x] Optimization
#### Checklist: <!-- Go over all points below, and after creating the PR, tick the checkboxes that apply --> - [ ] PR should be backported to stable branches - [x] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number)
#### Description Kamailio TLS mod_init is creating one SSL_CTX, per process, some of the fonctions are taking between 1-3 seconds to execute, this is slowing down the startup sequence greatly. ``` SSL_CTX_load_verify_locations SSL_CTX_set_client_CA_list // list sent to the client SSL_load_client_CA_file SSL_CTX_get_client_CA_list ```
In fact it is safe to share the SSL_CTX since it is only used to store settings that will be used to internalize new structure, see the documentation reference : ``` tls: faster startup using shared SSL_CTX
https://www.openssl.org/docs/man1.1.1/man7/ssl.html SSL_CTX (SSL Context) This is the global context structure which is created by a server or client once per program life-time and which holds mainly default values for the SSL structures which are later created for the connections. ```
I load tested this with 1000 TLS connections. We could push the refactoring further, this simple modification as a huge impact since the functions are now called only once per SSL / SNI, not per process ...
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/1585
-- Commit Summary --
* tls: faster startup using shared SSL_CTX
-- File Changes --
M src/modules/tls/tls_domain.c (29)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/1585.patch https://github.com/kamailio/kamailio/pull/1585.diff
Is this impacting in any way the reload commands that can be done at runtime?
I didn't have the time to look properly at libssl api on this topic, if you want a merge on fast lane, I am open to do it if this is made a config option via modparam for tls module, with the default value that keeps the behaviour like it is now.
Q: Is this impacting in any way the reload commands that can be done at runtime? A: not tested, based on the assumption that SSL_CTX is only a storage for "default values", this should not be a problem, I will test it in case the documentations and other sources of information may be wrong (or study the openssl source code further) to be absolutely certain.
In the mean time, as you proposed we could make it optional, in the end this is becoming a problem when you have multiple "config" and many processes because this delay is multiplied. (# process * # config) So this optimisation, may not be needed by everyone. Main value is to have faster kamailio restart.
After SSL_CTX is not only containing default settings but hash of sessions, this seems to be thread safe using a locks.
``` SSL_CTX_add_session CRYPTO_THREAD_write_lock(ctx->lock); ... CRYPTO_THREAD_unlock(ctx->lock); ```
OpenSSL can be safely used in multi-threaded applications provided that support for the underlying OS threading API is built-in. Currently, OpenSSL supports the pthread and Windows APIs. OpenSSL can also be built without any multi-threading support, for example on platforms that don't provide any threading support or that provide a threading API that is not yet supported by OpenSSL.
Not sure if there could be a pitfall for forking process, better keep the default value as it is.
It seems another option, could be to copy only the X509_store
I understand that the conclusion at this point is not to merge it (at least, yet).
Thanks for the review, I will revisit and re open later
Closed #1585.
-
Daniel-Constantin Mierla -
Julien Chavanton